FortiGate
avp
Article Id 420098
Description This article describes how to configure DLP using Certificate Inspection as the SSL/SSH inspection to monitor or block Credit Card numbers. 
Scope FortiGate.
Solution

A DLP profile can be configured in the flow or proxy feature set, and the SSL/SSH inspection can be set to Certificate Inspection only if clear-text HTTP traffic needs to be filtered with DLP. If any other (encrypted) traffic needs to be filtered, deep inspection is mandatory, and the FortiGate SSL inspection certificate must be installed on the client PC.

Below is the configuration of DLP to monitor credit card numbers in HTTP traffic.

1. Enable DLP:

Go to System -> Feature Visibility and enable DLP.

2. Configure the dictionary:

In CLI:

config dlp dictionary
    edit "CC"
        set uuid a616a146-c535-51f0-2e03-f9c993cc5bb3
            config entries
                edit 2
                    set type "regex"
                    set pattern "(?:\\d[ -]*?){16}"  
                next
            end
    next
end

3. Configure the sensor:

In CLI:

config dlp sensor
    edit "CC"
        config entries
            edit 1
                set dictionary "CC"
            next
        end
    next
end

4. Configure the rule and save the profile:

In CLI:

config dlp profile
    edit "CreditCard"
        set feature-set proxy
            config rule
                edit 1
                    set name "CreditCard"
                    set type message
                    set proto http-post
                    set filter-by sensor
                    set sensor "CC"
                    set action log-only    --> The action is currently 'log-only', so matching traffic is logged but not blocked.
                next
            end
    next
end

5. Configure the policy to use the newly created DLP profile:

In CLI:

config firewall policy
    edit 1
        set name "Allow-all"
        set uuid 07f14d26-c522-51f0-d138-7d1ce932b6e6
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set dlp-profile "CreditCard"
        set logtraffic all
        set nat enable
    next
end

Notes:

  • In this policy, the SSL/SSH profile is 'certificate-inspection', which does not perform deep inspection.
  • In the 'certificate-inspection' profile, 'Inspect all ports' is disabled because this communication uses the standard HTTP port 80. If a custom port is used for the communication, the 'Inspect all ports' option must be enabled.

6. Testing:

http://10.5.146.51:80 is the server configured to receive the message or clear-text files over the HTTP service, and 10.50.17.161 is the client PC that sends the file or message.

The test is performed with a curl POST so that the traffic is generated and received in the desired manner.

The file 't.txt', which has the credit card number saved in it, was uploaded to the server, and the upload was logged under DLP in Security Events.

7. Verification:

date=2025-11-23 time=10:48:11 eventtime=1763891290979615411 tz="+0100" logid="0954024577" type="utm" subtype="dlp" eventtype="dlp" level="notice" vd="root" filteridx=1 filtername="CreditCard" dlpextra="CC" filtertype="sensor" filtercat="message" severity="medium" policyid=1 poluuid="07f14d26-c522-51f0-d138-7d1ce932b6e6" policytype="policy" sessionid=4018035 epoch=1242834703 eventid=1 srcip=10.50.17.161 srcport=50777 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="add1a27c-c513-51f0-7f77-55c5b5e7e01a" dstip=10.5.146.51 dstport=80 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="add1a27c-c513-51f0-7f77-55c5b5e7e01a" proto=6 service="HTTP" filetype="N/A" direction="outgoing" action="log-only" hostname="10.5.146.51" url="http://10.5.146.51/" agent="curl/8.13.0" httpmethod="POST" profile="CreditCard"

This confirms that the credit card number sent in the txt file matched the DLP profile, and the FortiGate took the configured action, 'log-only'.
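As an added example, not code from the article or from Fortinet, the following Python applies the dictionary regex from step 2 to constructed POST bodies and parses the DLP log line above into fields so that a 'log-only' hit can be picked out in a SIEM-style filter. The Luhn post-filter is an addition that illustrates why the bare 16-digit pattern also matches non-card numbers; the sample bodies and the trimmed log line are constructed here.

```python
import re

# Dictionary regex from step 2 above; the CLI string "(?:\\d[ -]*?){16}"
# unescapes to this: 16 digits, each optionally followed by spaces or dashes.
CC_PATTERN = re.compile(r"(?:\d[ -]*?){16}")
# One key=value field of a FortiOS log line; quoted values may contain spaces.
LOG_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def find_card_candidates(body: str) -> list[str]:
    """Substrings of a POST body that the 'CC' dictionary entry would match."""
    return [m.group(0).strip(" -") for m in CC_PATTERN.finditer(body)]


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits only. Added post-filter (not part of the
    FortiGate config) showing that the bare 16-digit regex also fires on
    non-card numbers such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed([c for c in candidate if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_fortigate_log(line: str) -> dict[str, str]:
    """Return the key=value fields of one FortiOS log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in LOG_FIELD.finditer(line)}


def is_dlp_log_only_hit(fields: dict[str, str], profile: str) -> bool:
    """True for a DLP match on `profile` whose action was only to log it."""
    return (fields.get("type") == "utm" and fields.get("subtype") == "dlp"
            and fields.get("profile") == profile
            and fields.get("action") == "log-only")


# Constructed sample POST bodies (4111 1111 1111 1111 is a standard test number).
SAMPLE_BODIES = {
    "card": "name=test&card=4111 1111 1111 1111&cvv=000",
    "order_id": "order=1234567812345678&qty=2",
    "short": "ref=123456789012345",
}
# Trimmed copy of the DLP log line shown in the Verification step.
SAMPLE_LOG = ('date=2025-11-23 time=10:48:11 type="utm" subtype="dlp" '
              'filtername="CreditCard" dlpextra="CC" filtertype="sensor" '
              'policyid=1 srcip=10.50.17.161 dstip=10.5.146.51 dstport=80 '
              'service="HTTP" action="log-only" agent="curl/8.13.0" '
              'httpmethod="POST" profile="CreditCard"')
```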